HashiCorp Vault for the Non-Technical
HashiCorp Vault, or simply Vault for short, is a multi-cloud, API-driven, distributed secrets management system. If none of that makes sense, fear not. Grab a cup of your favorite tea or coffee and spend five minutes while we explain HashiCorp Vault with simple analogies and a bit of cryptographic history.
What is Secrets Management?
Let’s start with secrets. Throughout history humans have built various ways to hide sensitive information or keep it secret. Sometimes we refer to this as cryptography, the art of writing or solving codes. One of the most common uses for cryptography is to keep sensitive data hidden from view. You could also call this secrets management.
Secrets management is nothing new. One of the most common types of secret is the password. Passwords have been with us for thousands of years. Roman sentries would use passwords written on wooden tablets to protect their encampments from spies and enemies. Combination locks are a primitive form of password. And of course, passwords have been with us since the dawn of computing.
The Origins of the Computer Password
Here’s a little-known secret: computer passwords were never designed for security. The grandfather of the modern computer password, MIT professor Fernando Corbató, simply wanted a way to keep users’ files separate on a mainframe computer. This was back in 1961. It was only a year later that the world’s first documented incident of password theft occurred, when another computer scientist managed to print a copy of the master password list. The passwords were soon common knowledge. Users began to log onto other accounts and taunt the lab director with humorous messages in what may be the first documented incident of Internet trolling.
Passwords were a terrible security measure, and Professor Corbató admitted as much in a 2014 interview:
“Unfortunately it’s become kind of a nightmare with the World Wide Web. I don’t think anybody can possibly remember all the passwords that are issued or set up. That leaves people with two choices. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager. Either one is a nuisance.”
The classic ’80s hacker movie WarGames highlights our password problem perfectly. In the movie, teenager David Lightman manages to guess Professor Falken’s password and gain backdoor access to the NORAD computer system, the W.O.P.R. If you haven’t seen WarGames yet, rent it this weekend and learn what it was like to connect to the net back in 1983.
For better or worse, the computer password was here to stay. In the early days of the Internet nobody cared about security. It was just a bunch of college professors and students posting files and messages to newsgroups and bulletin board systems. As the internet continued to expand during the 80s, 90s and 2000s, password usage increased exponentially. Unfortunately, so did password theft. Various attempts have been made over the years to improve password security. Most websites and applications have complexity and length requirements for passwords, making it even more onerous for users to remember them all.
Personal Password Managers
Enter the password manager. You may have heard of applications such as LastPass or 1Password. These applications are designed to simplify things by giving you a password vault where you can store all your passwords. This way you only need one master password, which unlocks the rest of your passwords. Most modern web browsers also have built-in password storage that you can unlock with a master password or even a fingerprint. The basic idea is the same. Forget about memorizing all your passwords; just store them in a password vault and fetch passwords from the vault when you need them.
Think for a moment about all the websites and applications where you have an account. Each one of them is supposed to have its own separate, complex password that is not shared anywhere else. Now imagine this problem and multiply it a thousand fold. This is the problem faced by any organization that uses computers, which is basically all of them. Well, maybe not the Amish. But certainly every company has passwords and secrets that have to be managed.
You see, in the world of internet applications, passwords are just the tip of the iceberg. There are many other types of secrets that are used not only for humans to log onto machines and apps, but for machine-to-machine communication as well. The simple process of logging onto your bank’s website involves a complex web of transactions that may touch dozens or hundreds of different computers. All of that communication has to be safely encrypted and kept private to protect your personal financial data.
The basic problem is still the same. How do we protect secrets and sensitive data from prying eyes, while still being able to use those secrets for secure communication? It’s a tricky problem to solve.
Use Case #1: Password Storage
This is the problem that HashiCorp Vault aims to solve. How can large companies and organizations protect their passwords and other sensitive information? You can think of Vault as a kind of supercharged password manager that businesses use in the cloud to secure their secret data.
When you think of the word vault, you might imagine a huge safe in a bank with a big heavy door. Vault can certainly store your passwords, but it can do a lot more. Another useful analogy is the hotel front desk…
Use Case #2: Dynamic Credentials
Whenever you walk into a hotel and approach the check-in desk, what’s the first question the staff asks?
“May I please see a valid form of identification and a credit card?”
In order to check in and get your room keys you must identify yourself. Once you’ve provided a valid identity and proof that you have a reservation (and can pay for it), you’ll get some room keys. Most modern hotels use plastic key cards with a magnetic stripe. Depending on the length of your stay and type of reservation, your key cards will be able to access different parts of the hotel. Your keys will open your hotel room, the gym, the front door and perhaps the executive lounge if you have enough travel points. These hotel keys are uniquely coded for each guest, and they have an expiration date. After your reservation is complete the keys expire and no longer work to access anything in the hotel.
In this simple example, Vault is like the front desk of the hotel, while the rest of the hotel facility represents your IT infrastructure. Vault is the central location where you identify yourself as an application or human user, and fetch secrets that grant you access to different parts of the environment. For example, you may store the password to a Linux server in Vault, and allow access only to the sysadmin team.
Or you may have an application that needs the username and password for its database. Vault can even generate dynamic passwords that expire, just like those hotel room keys. If you lose your hotel key, no problem! Visit the front desk and they’ll make you another one. You will, of course, have to produce some valid identification to get a new key. Just make sure you’re wearing pants if you get locked out of your room!
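To make the front-desk analogy concrete, here is an added illustration in Go (Vault is written in Go) of the dynamic-credential pattern. It is not Vault's own code and was not part of the original post: a client proves who it is with a token, a policy decides which path it may check out, the desk mints a fresh random secret with a time-to-live, and the secret stops working once the lease expires or is revoked. The client name `billing-app`, its token and the path `database/creds/billing` are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var (
	ErrDenied       = errors.New("identity check failed or path not allowed by policy")
	ErrUnknownLease = errors.New("no such lease")
	ErrExpired      = errors.New("lease has expired")
	ErrRevoked      = errors.New("lease was revoked")
)

// Lease is the hotel key: one secret, issued to one client for one path,
// valid only until Expires or until the front desk revokes it.
type Lease struct {
	ID, Client, Path, Secret string
	Expires                  time.Time
	revoked                  bool
}

// FrontDesk plays the part of Vault: it knows its guests, what each may
// reach, and remembers every key it has handed out so it can cancel one.
type FrontDesk struct {
	now    func() time.Time           // injectable clock so expiry can be tested
	tokens map[string]string          // client -> bearer token (constructed identities)
	policy map[string]map[string]bool // client -> paths it may check out
	leases map[string]*Lease
	seq    int
}

func NewFrontDesk(now func() time.Time) *FrontDesk {
	return &FrontDesk{now: now, tokens: map[string]string{},
		policy: map[string]map[string]bool{}, leases: map[string]*Lease{}}
}

// Register enrols a client with its token and the paths its policy allows.
func (d *FrontDesk) Register(client, token string, paths ...string) {
	d.tokens[client] = token
	d.policy[client] = map[string]bool{}
	for _, p := range paths {
		d.policy[client][p] = true
	}
}

// CheckIn verifies identity (constant-time token compare) and policy, then
// mints a fresh random secret with a lease of ttl. Each call yields a new secret.
func (d *FrontDesk) CheckIn(client, token, path string, ttl time.Duration) (*Lease, error) {
	want, known := d.tokens[client]
	if !known || subtle.ConstantTimeCompare([]byte(want), []byte(token)) != 1 || !d.policy[client][path] {
		return nil, ErrDenied
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	d.seq++
	l := &Lease{ID: fmt.Sprintf("lease-%d", d.seq), Client: client, Path: path,
		Secret: hex.EncodeToString(buf), Expires: d.now().Add(ttl)}
	d.leases[l.ID] = l
	return l, nil
}

// Use returns the secret behind a lease, or why the key no longer opens anything.
func (d *FrontDesk) Use(leaseID string) (string, error) {
	l, ok := d.leases[leaseID]
	switch {
	case !ok:
		return "", ErrUnknownLease
	case l.revoked:
		return "", ErrRevoked
	case !d.now().Before(l.Expires):
		return "", ErrExpired
	}
	return l.Secret, nil
}

// Revoke is the lost-key case: the old secret stops working at once and the
// client must check in again, proving identity, to get a new one.
func (d *FrontDesk) Revoke(leaseID string) error {
	l, ok := d.leases[leaseID]
	if !ok {
		return ErrUnknownLease
	}
	l.revoked = true
	return nil
}

func main() {
	desk := NewFrontDesk(time.Now)
	desk.Register("billing-app", "tok-billing", "database/creds/billing") // constructed client
	l, err := desk.CheckIn("billing-app", "tok-billing", "database/creds/billing", 2*time.Second)
	if err != nil {
		panic(err)
	}
	s, _ := desk.Use(l.ID)
	fmt.Println(l.ID, "secret", s, "valid until", l.Expires.Format(time.RFC3339))
	time.Sleep(3 * time.Second)
	_, err = desk.Use(l.ID)
	fmt.Println("after TTL:", err) // the key has expired and must be re-issued
}
```

The detail worth noticing is that a compromised secret is bounded twice: by the TTL, and by the desk's ability to revoke a single lease without touching anyone else's. Real Vault adds a great deal on top (auditing, renewal, many identity sources), but the shape is the same.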
Use Case #3: Encryption as a Service
So far we’ve covered two of the main uses for Vault, namely password storage, and generating dynamic credentials that expire like hotel keys. Vault can also be used to encrypt any plain text into an encoded form that is nearly impossible to crack, even with a supercomputer. Think about that scytale device in the photo earlier in this post. This was a simple encryption device used by ancient Greeks to deliver sensitive information on the battlefield. Cracking the code only requires a stick with the same diameter as the one used to encode the text. A more modern example would be the secret decoder ring, like the one featured in the movie A Christmas Story.
The basic idea behind encryption as a service is just like that decoder ring or the Enigma machines of World War II. If you had the right formula or machine, you could encode and decode secret messages. Fortunately for us, modern encryption is much harder to crack than a simple strap of leather wrapped around a stick. Vault is a super-powered decoder ring. It lets you encrypt any kind of sensitive data such as credit card numbers, personal information, or passwords. You can also use Vault to decrypt the same data. Or you can have one application perform the encryption, and another application do the decryption.
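As an added example, not code from the original post or from Vault itself, here is the encryption-as-a-service idea in Go: a small service that keeps AES-256-GCM keys to itself, so applications only ever exchange plaintext and ciphertext with it and never hold the key. Keys are versioned so one can be rotated while older ciphertext still decrypts. The `svc:vN:` ciphertext prefix, the key name `cards` and the test card number are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrNoKey     = errors.New("no such key or key version")
	ErrMalformed = errors.New("ciphertext is not in svc:vN:base64 form")
	ErrTampered  = errors.New("ciphertext failed authentication")
)

// TransitService is the decoder ring. AES-256 keys live only inside it; callers
// hand in plaintext and get ciphertext back, or the reverse, and never see key
// material. Keys are versioned so they can be rotated without re-encrypting old data.
type TransitService struct {
	keys map[string][][]byte // key name -> versions, index 0 is v1
}

func NewTransitService() *TransitService { return &TransitService{keys: map[string][][]byte{}} }

// Rotate creates the named key or adds a new version to it. New encryptions
// use the newest version; every older version still decrypts.
func (s *TransitService) Rotate(name string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.keys[name] = append(s.keys[name], k)
	return nil
}

// aead builds AES-GCM for one key version (1-based).
func (s *TransitService) aead(name string, version int) (cipher.AEAD, error) {
	versions := s.keys[name]
	if version < 1 || version > len(versions) {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(versions[version-1])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns "svc:v<N>:<base64(nonce || ciphertext)>" under the newest
// version of the key. The key name is bound in as associated data, so a
// ciphertext cannot be decrypted under a different key of the same service.
func (s *TransitService) Encrypt(name string, plaintext []byte) (string, error) {
	version := len(s.keys[name])
	g, err := s.aead(name, version)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.Seal(nil, nonce, plaintext, []byte(name))
	blob := base64.StdEncoding.EncodeToString(append(nonce, sealed...))
	return fmt.Sprintf("svc:v%d:%s", version, blob), nil
}

// Decrypt reads the version prefix, selects that key version and verifies the
// GCM tag, so tampering or the wrong key is reported rather than silently wrong.
func (s *TransitService) Decrypt(name, ciphertext string) ([]byte, error) {
	parts := strings.SplitN(ciphertext, ":", 3)
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var version int
	if _, err := fmt.Sscanf(parts[1], "v%d", &version); err != nil || parts[0] != "svc" {
		return nil, ErrMalformed
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	g, err := s.aead(name, version)
	if err != nil {
		return nil, err
	}
	if len(raw) < g.NonceSize() {
		return nil, ErrMalformed
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], []byte(name))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

func main() {
	svc := NewTransitService()
	_ = svc.Rotate("cards")
	// checkout-app stores ct; ledger-app reads it back. Neither ever holds the key.
	ct, _ := svc.Encrypt("cards", []byte("4111 1111 1111 1111")) // constructed test value
	pt, _ := svc.Decrypt("cards", ct)
	fmt.Println(ct, "->", string(pt))
}
```

The version tag in the ciphertext is what makes rotation painless: after `Rotate`, new writes use v2 while anything stored under v1 still reads back, and a ciphertext presented under the wrong key name fails authentication instead of yielding garbage.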
Summary
HashiCorp Vault is a multi-cloud, API-driven, distributed secrets management system. Vault can be used for the following purposes:
- Store any type of password or secret data
- Generate temporary, expiring credentials that work like disposable hotel keys
- Encrypt any type of sensitive data so that it cannot be read by unauthorized individuals, even on untrusted networks